<!DOCTYPE html>
<html>
<head>
<script>
(function(){
    var bp = document.createElement('script');
    var curProtocol = window.location.protocol.split(':')[0];
    if (curProtocol === 'https') {
        bp.src = 'https://zz.bdstatic.com/linksubmit/push.js';
    }
    else {
        bp.src = 'http://push.zhanzhang.baidu.com/push.js';
    }
    var s = document.getElementsByTagName("script")[0];
    s.parentNode.insertBefore(bp, s);
})();
</script>
<script>
var _hmt = _hmt || [];
(function() {
  var hm = document.createElement("script");
  hm.src = "https://hm.baidu.com/hm.js?d890b1f16fb364253e79c5bb20225c3a";
  var s = document.getElementsByTagName("script")[0]; 
  s.parentNode.insertBefore(hm, s);
})();
</script>


    

    

    
<!-- Baidu Tongji -->
<script>var _hmt = _hmt || []</script>
<script async src="//hm.baidu.com/hm.js?busuanzi_value_site_uv"></script>
<!-- End Baidu Tongji -->




    <meta charset="utf-8">
    <meta name="baidu-site-verification" content="FYMCShbUK8" />
    <meta name="baidu-site-verification" content="ZYRF7OxQRW" />
    <meta name="baidu-site-verification" content="cHSqtjI0PN" />
    <meta name="baidu-site-verification" content="cHSqtjI0PN" />
    <meta name="baidu-site-verification" content="cHSqtjI0PN" />
    
    
    <link rel="canonical" href="https://hhardyy.com/2018/07/01/Web安全之XSS、SQL注入/">
    
    
    <title>Web安全之XSS、SQL注入 | 小方块 - hhardyy.com | 复杂的坑+归其原理+了解实现规则===解决？解决成功：加油解决成功;</title>
    <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
    
    <meta name="theme-color" content="#958e93">
    
    
    <meta name="keywords" content="XSS,Sql注入">
    <meta name="description" content="XSS跨站脚本攻击，是一种在web应用中的计算机安全漏洞，它允许恶意web用户将代码植入到提供给其它用户使用的页面中。">
<meta name="keywords" content="XSS,Sql注入">
<meta property="og:type" content="article">
<meta property="og:title" content="Web安全之XSS、SQL注入">
<meta property="og:url" content="http://yoursite.com/2018/07/01/Web安全之XSS、SQL注入/index.html">
<meta property="og:site_name" content="小方块 - hhardyy.com">
<meta property="og:description" content="XSS跨站脚本攻击，是一种在web应用中的计算机安全漏洞，它允许恶意web用户将代码植入到提供给其它用户使用的页面中。">
<meta property="og:locale" content="zh-CN">
<meta property="og:image" content="http://yoursite.com/images/websave/express2.JPG">
<meta property="og:image" content="http://yoursite.com/images/websave/express3.JPG">
<meta property="og:image" content="http://yoursite.com/images/websave/express4.JPG">
<meta property="og:image" content="http://yoursite.com/images/websave/express5.JPG">
<meta property="og:image" content="http://yoursite.com/images/websave/express6.JPG">
<meta property="og:image" content="http://yoursite.com/images/websave/HTML_UTITY.jpg">
<meta property="og:updated_time" content="2020-01-13T15:28:09.751Z">
<meta name="twitter:card" content="summary">
<meta name="twitter:title" content="Web安全之XSS、SQL注入">
<meta name="twitter:description" content="XSS跨站脚本攻击，是一种在web应用中的计算机安全漏洞，它允许恶意web用户将代码植入到提供给其它用户使用的页面中。">
<meta name="twitter:image" content="http://yoursite.com/images/websave/express2.JPG">
    
        <link rel="alternate" type="application/atom+xml" title="小方块 - hhardyy.com" href="/atom.xml">
    
    <link rel="shortcut icon" href="/hardyfavicon.ico">
    <link rel="stylesheet" href="//unpkg.com/hexo-theme-material-indigo@latest/css/style.css">
    <script>window.lazyScripts=[]</script>

    <!-- custom head -->
    

</head>

<body>
    <div id="loading" class="active"></div>

    <aside id="menu" class="hide" >
  <div class="inner flex-row-vertical">
    <a href="javascript:;" class="header-icon waves-effect waves-circle waves-light" id="menu-off">
        <i class="icon icon-lg icon-close"></i>
    </a>
    <div class="brand-wrap" style="background-image:url(/img/paulGraham.jpg)">
      <div class="brand" style="background-color:#4154b2">
        <a href="/" class="avatar waves-effect waves-circle waves-light">
          <img src="/img/avatar.jpg">
        </a>
        <hgroup class="introduce">
          <h5 class="nickname">BingZhenhuang</h5>
          <a href="mailto:huangbingzhen@hhardyy.com" title="huangbingzhen@hhardyy.com" class="mail">huangbingzhen@hhardyy.com</a>
        </hgroup>
      </div>
    </div>
    <div class="scroll-wrap flex-col">
      <ul class="nav">
        
            <li class="waves-block waves-effect">
              <a href="/"  >
                <i class="icon icon-lg icon-home"></i>
                主页
              </a>
            </li>
        
            <li class="waves-block waves-effect">
              <a href="/archives"  >
                <i class="icon icon-lg icon-archives"></i>
                所有文章
              </a>
            </li>
        
            <li class="waves-block waves-effect">
              <a href="/tags"  >
                <i class="icon icon-lg icon-tags"></i>
                标签
              </a>
            </li>
        
            <li class="waves-block waves-effect">
              <a href="https://github.com/HHardyy" target="_blank" >
                <i class="icon icon-lg icon-github"></i>
                Github
              </a>
            </li>
        
            <li class="waves-block waves-effect">
              <a href="https://juejin.im/user/59a26f926fb9a02487553b04"  >
                <i class="icon icon-lg icon-pencil"></i>
                掘金-圳
              </a>
            </li>
        
            <li class="waves-block waves-effect">
              <a href="https://segmentfault.com/u/hhardyy"  >
                <i class="icon icon-lg icon-comments"></i>
                Segmentfault
              </a>
            </li>
        
            <li class="waves-block waves-effect">
              <a href="https://codepen.io/HHardyy/" target="_blank" >
                <i class="icon icon-lg icon-codepen"></i>
                Codepen
              </a>
            </li>
        
            <li class="waves-block waves-effect">
              <a href="/ZhenSolive/find.html" target="_blank" >
                <i class="icon icon-lg icon-globe"></i>
                原生直播间
              </a>
            </li>
        
            <li class="waves-block waves-effect">
              <a href="/hero/judge.html" target="_blank" >
                <i class="icon icon-lg icon-cloud"></i>
                原生小悟空
              </a>
            </li>
        
            <li class="waves-block waves-effect">
              <a href="/airPlay/HHardyy_PC.html" target="_blank" >
                <i class="icon icon-lg icon-camera"></i>
                原生飞机大战（PC）
              </a>
            </li>
        
            <li class="waves-block waves-effect">
              <a href="https://www.freecodecamp.cn/hhardyy" target="_blank" >
                <i class="icon icon-lg icon-leaf"></i>
                Freecodecamp
              </a>
            </li>
        
            <li class="waves-block waves-effect">
              <a href="/友情链接"  >
                <i class="icon icon-lg icon-link"></i>
                友链
              </a>
            </li>
        
      </ul>
    </div>
  </div>
</aside>

    <main id="main">
        <header class="top-header" id="header">
    <div class="flex-row">
        <a href="javascript:;" class="header-icon waves-effect waves-circle waves-light on" id="menu-toggle">
          <i class="icon icon-lg icon-navicon"></i>
        </a>
        <div class="flex-col header-title ellipsis">Web安全之XSS、SQL注入</div>
        
        <div class="search-wrap" id="search-wrap">
            <a href="javascript:;" class="header-icon waves-effect waves-circle waves-light" id="back">
                <i class="icon icon-lg icon-chevron-left"></i>
            </a>
            <input type="text" id="key" class="search-input" autocomplete="off" placeholder="输入感兴趣的关键字">
            <a href="javascript:;" class="header-icon waves-effect waves-circle waves-light" id="search">
                <i class="icon icon-lg icon-search"></i>
            </a>
        </div>
        
        
        <a href="javascript:;" class="header-icon waves-effect waves-circle waves-light" id="menuShare">
            <i class="icon icon-lg icon-share-alt"></i>
        </a>
        
    </div>
</header>
<header class="content-header post-header">

    <div class="container fade-scale">
        <h1 class="title">Web安全之XSS、SQL注入</h1>
        <h5 class="subtitle">
            
                <time datetime="2018-07-01T08:16:36.000Z" itemprop="datePublished" class="page-time">
  2018-07-01
</time>


            
        </h5>
    </div>

    


</header>


<div class="container body-wrap">
    
    <aside class="post-widget">
        <nav class="post-toc-wrap" id="post-toc">
            <h4>TOC</h4>
            <ol class="post-toc"><li class="post-toc-item post-toc-level-3"><a class="post-toc-link" href="#XSS的攻击方法"><span class="post-toc-number">1.</span> <span class="post-toc-text">XSS的攻击方法</span></a></li><li class="post-toc-item post-toc-level-3"><a class="post-toc-link" href="#1、反射型"><span class="post-toc-number">2.</span> <span class="post-toc-text">1、反射型</span></a></li><li class="post-toc-item post-toc-level-3"><a class="post-toc-link" href="#演示"><span class="post-toc-number">3.</span> <span class="post-toc-text">演示</span></a><ol class="post-toc-child"><li class="post-toc-item post-toc-level-4"><a class="post-toc-link" href="#路由router-index-js"><span class="post-toc-number">3.1.</span> <span class="post-toc-text">路由router/index.js</span></a></li><li class="post-toc-item post-toc-level-4"><a class="post-toc-link" href="#视图views-index-js"><span class="post-toc-number">3.2.</span> <span class="post-toc-text">视图views/index.js</span></a></li></ol></li><li class="post-toc-item post-toc-level-3"><a class="post-toc-link" href="#2、存储型"><span class="post-toc-number">4.</span> <span class="post-toc-text">2、存储型</span></a></li><li class="post-toc-item post-toc-level-3"><a class="post-toc-link" href="#反射型与存储型的区别"><span class="post-toc-number">5.</span> <span class="post-toc-text">反射型与存储型的区别</span></a></li><li class="post-toc-item post-toc-level-3"><a class="post-toc-link" href="#XSS防御"><span class="post-toc-number">6.</span> <span class="post-toc-text">XSS防御</span></a><ol class="post-toc-child"><li class="post-toc-item post-toc-level-4"><a class="post-toc-link" href="#1、编码"><span class="post-toc-number">6.1.</span> <span class="post-toc-text">1、编码</span></a></li><li class="post-toc-item post-toc-level-4"><a class="post-toc-link" href="#2、过滤"><span class="post-toc-number">6.2.</span> <span class="post-toc-text">2、过滤</span></a></li><li class="post-toc-item post-toc-level-4"><a class="post-toc-link" href="#3、校正"><span class="post-toc-number">6.3.</span> <span class="post-toc-text">3、校正</span></a></li></ol></li><li class="post-toc-item post-toc-level-3"><a class="post-toc-link" href="#SQL注入"><span class="post-toc-number">7.</span> <span class="post-toc-text">SQL注入</span></a><ol class="post-toc-child"><li class="post-toc-item post-toc-level-4"><a class="post-toc-link" href="#定义"><span class="post-toc-number">7.1.</span> <span class="post-toc-text">定义</span></a></li><li class="post-toc-item post-toc-level-4"><a class="post-toc-link" href="#原理"><span class="post-toc-number">7.2.</span> <span class="post-toc-text">原理</span></a></li><li class="post-toc-item post-toc-level-4"><a class="post-toc-link" href="#产生原因"><span class="post-toc-number">7.3.</span> <span class="post-toc-text">产生原因</span></a></li><li class="post-toc-item post-toc-level-4"><a class="post-toc-link" href="#危害性"><span class="post-toc-number">7.4.</span> <span class="post-toc-text">危害性</span></a></li><li class="post-toc-item post-toc-level-4"><a class="post-toc-link" href="#防御"><span class="post-toc-number">7.5.</span> <span class="post-toc-text">防御</span></a></li><li class="post-toc-item post-toc-level-4"><a class="post-toc-link" href="#So"><span class="post-toc-number">7.6.</span> <span class="post-toc-text">So?</span></a></li></ol></li></ol>
        </nav>
    </aside>
    
<article id="post-Web安全之XSS、SQL注入"
  class="post-article article-type-post fade" itemprop="blogPost">

    <div class="post-card">
        <h1 class="post-card-title">Web安全之XSS、SQL注入</h1>
        <div class="post-meta">
            <time class="post-time" title="2018-07-01 16:16:36" datetime="2018-07-01T08:16:36.000Z"  itemprop="datePublished">2018-07-01</time>

            


            

        </div>
        <div class="post-content" id="post-content" itemprop="postContent">
            <p>XSS跨站脚本攻击，是一种在web应用中的计算机安全漏洞，它允许恶意web用户将代码植入到提供给其它用户使用的页面中。</p>
<p><iframe frameborder="no" border="0" marginwidth="0" marginheight="0" width="330" height="86" src="//music.163.com/outchain/player?type=2&id=559926957&auto=0&height=66"></iframe><br><a id="more"></a></p>
<h3 id="XSS的攻击方法"><a href="#XSS的攻击方法" class="headerlink" title="XSS的攻击方法"></a>XSS的攻击方法</h3><p>XSS主要分为反射型和存储型两种，它与SQL注入攻击类似，SQL注入攻击中以SQL语句作为用户输入，从而达到的目的，而在xss攻击中，通过插入恶意脚本，实现对用户游览器的控制，获取用户的一些信息。</p>
<h3 id="1、反射型"><a href="#1、反射型" class="headerlink" title="1、反射型"></a>1、反射型</h3><p> 发出请求时，xss代码出现在url中，作为输入提交到服务器端，服务器端解析后响应，xss代码随响应内容一起传回给浏览器，最后浏览器解析执行xss代码。这个过程像一次反射。<br>（1）xss代码出现在url中，反射型代码特征=明文<br>（2）服务器端解析后响应，例如在serch中，参数serch传入，同value部分被一起传回。</p>
<h3 id="演示"><a href="#演示" class="headerlink" title="演示"></a>演示</h3><p>用express做了一个轻量级服务架构实例模拟xss的反射型攻击，装上依赖之后就可以跑起来。<br><figure class="image-bubble">
                <div class="img-lightbox">
                    <div class="overlay"></div>
                    <img src="/images/websave/express2.JPG" alt="express艺术" title="">
                </div>
                <div class="image-caption">express艺术</div>
            </figure><br>路由下的接口通过query获取用户在浏览器中输入的serch的内容</p>
<h4 id="路由router-index-js"><a href="#路由router-index-js" class="headerlink" title="路由router/index.js"></a>路由router/index.js</h4><figure class="highlight javascript"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div></pre></td><td class="code"><pre><div class="line"><span class="keyword">var</span> express = <span class="built_in">require</span>(<span class="string">'express'</span>);</div><div class="line"><span class="keyword">var</span> router = express.Router();</div><div class="line"><span class="comment">/* GET home page. */</span></div><div class="line">router.get(<span class="string">'/'</span>, <span class="function"><span class="keyword">function</span>(<span class="params">req, res, next</span>) </span>&#123;</div><div class="line">  res.render(<span class="string">'index'</span>, &#123; <span class="attr">title</span>: <span class="string">'Express'</span>,<span class="attr">xss</span>:req.query.xss&#125;);</div><div class="line">&#125;);</div><div class="line"><span class="built_in">module</span>.exports = router;</div></pre></td></tr></table></figure>
<h4 id="视图views-index-js"><a href="#视图views-index-js" class="headerlink" title="视图views/index.js"></a>视图views/index.js</h4><figure class="highlight javascript"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div></pre></td><td class="code"><pre><div class="line">&lt;div <span class="class"><span class="keyword">class</span></span>=<span class="string">""</span>&gt;</div><div class="line">    &lt;%- xss %&gt;   <span class="comment">//将那个接口获取的字段解析显示</span></div><div class="line">&lt;<span class="regexp">/div&gt;</span></div></pre></td></tr></table></figure>
<figure class="image-bubble">
                <div class="img-lightbox">
                    <div class="overlay"></div>
                    <img src="/images/websave/express3.JPG" alt="用xss拼接上12之后" title="">
                </div>
                <div class="image-caption">用xss拼接上12之后</div>
            </figure>
<figure class="image-bubble">
                <div class="img-lightbox">
                    <div class="overlay"></div>
                    <img src="/images/websave/express4.JPG" alt="xss" title="">
                </div>
                <div class="image-caption">xss</div>
            </figure>
<p>拼接上了恶意代码，被浏览器拦截，这里关掉浏览器的拦截，再重启服务器<br><figure class="highlight javascript"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div></pre></td><td class="code"><pre><div class="line">router.get(<span class="string">'/'</span>, <span class="function"><span class="keyword">function</span>(<span class="params">req, res, next</span>) </span>&#123;</div><div class="line">  res.set(<span class="string">'X-XSS-Protection'</span>,<span class="number">0</span>);</div><div class="line">  res.render(<span class="string">'index'</span>, &#123; <span class="attr">title</span>: <span class="string">'Express'</span>,<span class="attr">xss</span>:req.query.xss&#125;);</div><div class="line">&#125;);</div></pre></td></tr></table></figure></p>
<p>拼接上的html和js成功被执行<br><figure class="image-bubble">
                <div class="img-lightbox">
                    <div class="overlay"></div>
                    <img src="/images/websave/express5.JPG" alt="xss" title="">
                </div>
                <div class="image-caption">xss</div>
            </figure><br>假如拼接上Iframe，植入广告，这里举例植入百度（我的百度皮肤是自己设置过的，所以可能不一样）<br><figure class="image-bubble">
                <div class="img-lightbox">
                    <div class="overlay"></div>
                    <img src="/images/websave/express6.JPG" alt="百度成功被嵌入到了页面上" title="">
                </div>
                <div class="image-caption">百度成功被嵌入到了页面上</div>
            </figure></p>
<h3 id="2、存储型"><a href="#2、存储型" class="headerlink" title="2、存储型"></a>2、存储型</h3><p> 存储型xss和反射型xss的差别仅在于，提交的代码会存储在服务器端（数据库，内存，文件系统等），下次请求目标页面时不用再提交xss代码，和反射型的差别仅在于提交的代码的存储位置。<br> 存储型的代码不是query数据了，而是sql语句,两者的视图渲染流程一样<br><figure class="highlight javascript"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div></pre></td><td class="code"><pre><div class="line">router.get(<span class="string">'/'</span>, <span class="function"><span class="keyword">function</span>(<span class="params">req, res, next</span>) </span>&#123;</div><div class="line">  res.set(<span class="string">'X-XSS-Protection'</span>,<span class="number">0</span>);</div><div class="line">  res.render(<span class="string">'index'</span>, &#123; <span class="attr">title</span>: <span class="string">'Express'</span>,<span class="attr">xss</span>:sql()&#125;);</div><div class="line">&#125;);</div></pre></td></tr></table></figure></p>
<h3 id="反射型与存储型的区别"><a href="#反射型与存储型的区别" class="headerlink" title="反射型与存储型的区别"></a>反射型与存储型的区别</h3><p>代码不同：<br>1、反射型，通过req.query.xss获取用户输入进行的脚本攻击<br>2、存储型，xss：sql()，通过读缓存或者数据库进行的</p>
<h3 id="XSS防御"><a href="#XSS防御" class="headerlink" title="XSS防御"></a>XSS防御</h3><h4 id="1、编码"><a href="#1、编码" class="headerlink" title="1、编码"></a>1、编码</h4><p>   对用户输入的数据进行Html Entity编码<br>   <img src="/images/websave/HTML_UTITY.jpg" alt="Html Entity"></p>
<h4 id="2、过滤"><a href="#2、过滤" class="headerlink" title="2、过滤"></a>2、过滤</h4><p>  （1）移除用户上传的dom属性，如onerror等<br>  （2）移除用户上传的Style节点、Script节点、Iframe节点等<br><figure class="highlight javascript"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div></pre></td><td class="code"><pre><div class="line">假如style&#123;<span class="attr">body</span>:display:none !important&#125;</div><div class="line">假如Script引入一个破坏的js，js对页面有<span class="number">100</span>%操作权限，非同意的</div><div class="line">假如iframe植入广告，假如植入之后诱导用户鼠标滑过某个地方就会触发某些事件处理函数</div></pre></td></tr></table></figure></p>
<h4 id="3、校正"><a href="#3、校正" class="headerlink" title="3、校正"></a>3、校正</h4><p>  (1)避免直接对HTML Entity解码（如果直接进行解码，过滤就没意义了）<br> （2）使用DOM Parse转换，转正不配对的DOM标签<br>  DOM Parse=把整个字符串或者文本转成dom结构，执行过滤，然后匹配不合适标签</p>
<p>页面中反转译输入内容，前端过滤不安全的标签以及不安全的属性，<br>不安全的标签有：script，style，link，iframe，frame，img等，只要是自动加载的，改变页面样式，能够执行js的标签<br>不安全的属性：onerror，onclick等，只要是能够执行js的属性</p>
<p><a href="https://github.com/HHardyy/XSS_demo" target="_blank" rel="external">express框架实现的demo地址</a></p>
<h3 id="SQL注入"><a href="#SQL注入" class="headerlink" title="SQL注入"></a>SQL注入</h3><h4 id="定义"><a href="#定义" class="headerlink" title="定义"></a>定义</h4><p>攻击者通过在应用程序中预先定义好的查询语句中加上额外的SQL语句元素，欺骗数据库服务器执行非授权的任意查询。</p>
<h4 id="原理"><a href="#原理" class="headerlink" title="原理"></a>原理</h4><p>通过畸形输入巧妙构造符合攻击要求的特殊SQL语句让数据库执行。<br>比如 你的检测语句是<br><figure class="highlight javascript"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line">select  * <span class="keyword">from</span>  user where name=<span class="string">'变量1'</span> and password=<span class="string">'变量2'</span></div></pre></td></tr></table></figure></p>
<p>如果能找到记录则判定登陆成功。<br>那么对方如果在填写用户名和密码的时候写密码’1’ or ‘1’=’1’,把这个替换到最后形成的sql语句就变成了<br><figure class="highlight javascript"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line">select  * <span class="keyword">from</span>  user where name=<span class="string">'1'</span> or <span class="string">'1'</span>=<span class="string">'1'</span> and password=<span class="string">'1'</span> or <span class="string">'1'</span>=<span class="string">'1'</span></div></pre></td></tr></table></figure></p>
<p>由于1=1是恒等的。也就会把所有记录给查出来。这样就可以达到不知道密码或者是用户名的情况下完成登陆。</p>
<h4 id="产生原因"><a href="#产生原因" class="headerlink" title="产生原因"></a>产生原因</h4><p>对输入缺乏检查过滤。</p>
<h4 id="危害性"><a href="#危害性" class="headerlink" title="危害性"></a>危害性</h4><p>通过合法途径执行非法语句，使安全措施失效，隐蔽性强。</p>
<h4 id="防御"><a href="#防御" class="headerlink" title="防御"></a>防御</h4><p>做好应用系统输入的检查、尽量不要用系统管理员用户连接数据库、尽量不要使用扩展存储过程</p>
<h4 id="So"><a href="#So" class="headerlink" title="So?"></a>So?</h4><p>1、SQL注入将恶意代码放置在SQL中执行<br>2、跨站脚本将恶意代码嵌入到html中执行<br>3、Cookie注入将将恶意代码放置到Cookie中欺骗服务器，或实现SQL和跨站脚本注入。</p>
<p><span style="color: red">对输入内容进行检查是防御注入攻击的有效方法,以尽可能低的权限运行服务可有效降低服务出现安全问题可能带来的风害。</span></p>

        </div>

        <blockquote class="post-copyright">
    <div class="content">
        
<span class="post-time">
    最后更新时间：<time datetime="2020-01-13T15:28:09.751Z" itemprop="dateUpdated">2020-01-13 23:28:09</time>
</span><br>


        
        谢谢浏览，我会继续努力的，示例：<a href="/2018/07/01/Web安全之XSS、SQL注入/" target="_blank" rel="external">http://yoursite.com/2018/07/01/Web安全之XSS、SQL注入/</a>
        
    </div>
    <footer>
        <a href="http://yoursite.com">
            <img src="/img/avatar.jpg" alt="BingZhenhuang">
            BingZhenhuang
        </a>
    </footer>
</blockquote>

        
<div class="page-reward">
    <a id="rewardBtn" href="javascript:;" class="page-reward-btn waves-effect waves-circle waves-light">赏</a>
</div>



        <div class="post-footer">
            
	<ul class="article-tag-list"><li class="article-tag-list-item"><a class="article-tag-list-link" href="/tags/Sql注入/">Sql注入</a></li><li class="article-tag-list-item"><a class="article-tag-list-link" href="/tags/XSS/">XSS</a></li></ul>


            
<div class="page-share-wrap">
    

<div class="page-share" id="pageShare">
    <ul class="reset share-icons">
      <li>
        <a class="weibo share-sns" target="_blank" href="http://service.weibo.com/share/share.php?url=http://yoursite.com/2018/07/01/Web安全之XSS、SQL注入/&title=《Web安全之XSS、SQL注入》 — 小方块 - hhardyy.com&pic=http://yoursite.com/img/avatar.jpg" data-title="微博">
          <i class="icon icon-weibo"></i>
        </a>
      </li>
      <li>
        <a class="weixin share-sns wxFab" href="javascript:;" data-title="微信">
          <i class="icon icon-weixin"></i>
        </a>
      </li>
      <li>
        <a class="qq share-sns" target="_blank" href="http://connect.qq.com/widget/shareqq/index.html?url=http://yoursite.com/2018/07/01/Web安全之XSS、SQL注入/&title=《Web安全之XSS、SQL注入》 — 小方块 - hhardyy.com&source=XSS跨站脚本攻击，是一种在web应用中的计算机安全漏洞，它允许恶意web用户将代码植入到提供给其它用户使用的页面中。
" data-title=" QQ">
          <i class="icon icon-qq"></i>
        </a>
      </li>
      <li>
        <a class="facebook share-sns" target="_blank" href="https://www.facebook.com/sharer/sharer.php?u=http://yoursite.com/2018/07/01/Web安全之XSS、SQL注入/" data-title=" Facebook">
          <i class="icon icon-facebook"></i>
        </a>
      </li>
      <li>
        <a class="twitter share-sns" target="_blank" href="https://twitter.com/intent/tweet?text=《Web安全之XSS、SQL注入》 — 小方块 - hhardyy.com&url=http://yoursite.com/2018/07/01/Web安全之XSS、SQL注入/&via=http://yoursite.com" data-title=" Twitter">
          <i class="icon icon-twitter"></i>
        </a>
      </li>
      <li>
        <a class="google share-sns" target="_blank" href="https://plus.google.com/share?url=http://yoursite.com/2018/07/01/Web安全之XSS、SQL注入/" data-title=" Google+">
          <i class="icon icon-google-plus"></i>
        </a>
      </li>
    </ul>
 </div>



    <a href="javascript:;" id="shareFab" class="page-share-fab waves-effect waves-circle">
        <i class="icon icon-share-alt icon-lg"></i>
    </a>
</div>



        </div>
    </div>

    
<nav class="post-nav flex-row flex-justify-between">
  
    <div class="waves-block waves-effect prev">
      <a href="/2018/07/03/Linux艺术/" id="post-prev" class="post-nav-link">
        <div class="tips"><i class="icon icon-angle-left icon-lg icon-pr"></i> Prev</div>
        <h4 class="title">Linux艺术</h4>
      </a>
    </div>
  

  
    <div class="waves-block waves-effect next">
      <a href="/2018/06/10/Vue全家桶/" id="post-next" class="post-nav-link">
        <div class="tips">Next <i class="icon icon-angle-right icon-lg icon-pl"></i></div>
        <h4 class="title">Vue全家桶</h4>
      </a>
    </div>
  
</nav>



    














</article>

<div id="reward" class="page-modal reward-lay">
    <a class="close" href="javascript:;"><i class="icon icon-close"></i></a>
    <h3 class="reward-title">
        <i class="icon icon-quote-left"></i>
        🤠 请我喝可乐！
        <i class="icon icon-quote-right"></i>
    </h3>
    <div class="reward-content" style="width:50%">
        
        <div class="reward-code" style="text-align:center">
            <div style="width:300px;margin:0px auto;">
               <img id="rewardCode" style="width:50%;height:60%;display:block; margin:0px auto;" src="/img/alipay.jpg" alt="支付宝打赏二维码">
               <span style="display:inline-block; margin-bottom:20px;">0.88(支付宝 aliPay)</span>
               <img id="rewardCode" style="width:50%;height:60%;display:block; margin:0px auto;" src="/img/wechat.jpg" alt="微信打赏二维码">
               <span style="display:inline-block;">0.88(微信 weChat)</span>
            </div>
        </div>
    </div>
</div>



</div>

        <script>
!function(e,t,a){function n(){c(".heart{width: 10px;height: 10px;position: fixed;background: #f00;transform: rotate(45deg);-webkit-transform: rotate(45deg);-moz-transform: rotate(45deg);}.heart:after,.heart:before{content: '';width: inherit;height: inherit;background: inherit;border-radius: 50%;-webkit-border-radius: 50%;-moz-border-radius: 50%;position: fixed;}.heart:after{top: -5px;}.heart:before{left: -5px;}"),o(),r()}function r(){for(var e=0;e<d.length;e++)d[e].alpha<=0?(t.body.removeChild(d[e].el),d.splice(e,1)):(d[e].y--,d[e].scale+=.004,d[e].alpha-=.013,d[e].el.style.cssText="left:"+d[e].x+"px;top:"+d[e].y+"px;opacity:"+d[e].alpha+";transform:scale("+d[e].scale+","+d[e].scale+") rotate(45deg);background:"+d[e].color+";z-index:99999");requestAnimationFrame(r)}function o(){var t="function"==typeof e.onclick&&e.onclick;e.onclick=function(e){t&&t(),i(e)}}function i(e){var a=t.createElement("div");a.className="heart",d.push({el:a,x:e.clientX-5,y:e.clientY-5,scale:1,alpha:1,color:s()}),t.body.appendChild(a)}function c(e){var a=t.createElement("style");a.type="text/css";try{a.appendChild(t.createTextNode(e))}catch(t){a.styleSheet.cssText=e}t.getElementsByTagName("head")[0].appendChild(a)}function s(){return"rgb("+~~(255*Math.random())+","+~~(255*Math.random())+","+~~(255*Math.random())+")"}var d=[];e.requestAnimationFrame=function(){return e.requestAnimationFrame||e.webkitRequestAnimationFrame||e.mozRequestAnimationFrame||e.oRequestAnimationFrame||e.msRequestAnimationFrame||function(e){setTimeout(e,1e3/60)}}(),n()}(window,document);
</script>
<script async src="//busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js"></script>
<script>
    function secondToDate(second) {
        if (!second) {
            return 0;
        }
        var time = new Array(0, 0, 0, 0, 0);
        if (second >= 365 * 24 * 3600) {
            time[0] = parseInt(second / (365 * 24 * 3600));
            second %= 365 * 24 * 3600;
        }
        if (second >= 24 * 3600) {
            time[1] = parseInt(second / (24 * 3600));
            second %= 24 * 3600;
        }
        if (second >= 3600) {
            time[2] = parseInt(second / 3600);
            second %= 3600;
        }
        if (second >= 60) {
            time[3] = parseInt(second / 60);
            second %= 60;
        }
        if (second > 0) {
            time[4] = second;
        }
        return time;
    }</script>
<script type="text/javascript" language="javascript">
    function setTime() {
        var create_time = Math.round(new Date(Date.UTC(2017, 08, 18, 11, 42, 23)).getTime() / 1000);
        var timestamp = Math.round((new Date().getTime() + 8 * 60 * 60 * 1000) / 1000);
        currentTime = secondToDate((timestamp - create_time));
        currentTimeHtml = 'Running：' + currentTime[0] + '年 ' + currentTime[1] + '天 '
                + currentTime[2] + '时 ' + currentTime[3] + '分 ' + currentTime[4]
                + '秒';
        document.getElementById("htmer_time").innerHTML = currentTimeHtml;
    }    setInterval(setTime, 1000);
</script>
<footer class="footer">
    <div class="top">
        

        <p>
          <span id="busuanzi_container_page_pv">
             [&nbsp;浏览量：&nbsp;<span id="busuanzi_value_page_pv"></span>&nbsp;]
          </span>
        </p>
    </div>
    <div class="bottom">
        <p>
        <span>BingZhenhuang &copy; 2017 - 2020</span>
            <span>
                
                Power by <a href="https://hhardyy.github.io/" target="_blank">zhen On August 8</a> 
            </span>
            <span id="htmer_time" "></span>
        </p>
    </div>
</footer>

    </main>
    <div class="mask" id="mask"></div>
<a href="javascript:;" id="gotop" class="waves-effect waves-circle waves-light"><span class="icon icon-lg icon-chevron-up"></span></a>



<div class="global-share" id="globalShare">
    <ul class="reset share-icons">
      <li>
        <a class="weibo share-sns" target="_blank" href="http://service.weibo.com/share/share.php?url=http://yoursite.com/2018/07/01/Web安全之XSS、SQL注入/&title=《Web安全之XSS、SQL注入》 — 小方块 - hhardyy.com&pic=http://yoursite.com/img/avatar.jpg" data-title="微博">
          <i class="icon icon-weibo"></i>
        </a>
      </li>
      <li>
        <a class="weixin share-sns wxFab" href="javascript:;" data-title="微信">
          <i class="icon icon-weixin"></i>
        </a>
      </li>
      <li>
        <a class="qq share-sns" target="_blank" href="http://connect.qq.com/widget/shareqq/index.html?url=http://yoursite.com/2018/07/01/Web安全之XSS、SQL注入/&title=《Web安全之XSS、SQL注入》 — 小方块 - hhardyy.com&source=XSS跨站脚本攻击，是一种在web应用中的计算机安全漏洞，它允许恶意web用户将代码植入到提供给其它用户使用的页面中。
" data-title=" QQ">
          <i class="icon icon-qq"></i>
        </a>
      </li>
      <li>
        <a class="facebook share-sns" target="_blank" href="https://www.facebook.com/sharer/sharer.php?u=http://yoursite.com/2018/07/01/Web安全之XSS、SQL注入/" data-title=" Facebook">
          <i class="icon icon-facebook"></i>
        </a>
      </li>
      <li>
        <a class="twitter share-sns" target="_blank" href="https://twitter.com/intent/tweet?text=《Web安全之XSS、SQL注入》 — 小方块 - hhardyy.com&url=http://yoursite.com/2018/07/01/Web安全之XSS、SQL注入/&via=http://yoursite.com" data-title=" Twitter">
          <i class="icon icon-twitter"></i>
        </a>
      </li>
      <li>
        <a class="google share-sns" target="_blank" href="https://plus.google.com/share?url=http://yoursite.com/2018/07/01/Web安全之XSS、SQL注入/" data-title=" Google+">
          <i class="icon icon-google-plus"></i>
        </a>
      </li>
    </ul>
 </div>


<div class="page-modal wx-share" id="wxShare">
    <a class="close" href="javascript:;"><i class="icon icon-close"></i></a>
    <p>扫一扫，分享到微信</p>
    <img src="" alt="微信分享二维码">
</div>




    <script src="//cdn.bootcss.com/node-waves/0.7.4/waves.min.js"></script>
<script>
var BLOG = { ROOT: '/', SHARE: true, REWARD: true };


</script>

<script src="//unpkg.com/hexo-theme-material-indigo@latest/js/main.min.js"></script>


<div class="search-panel" id="search-panel">
    <ul class="search-result" id="search-result"></ul>
</div>
<template id="search-tpl">
<li class="item">
    <a href="{path}" class="waves-block waves-effect">
        <div class="title ellipsis" title="{title}">{title}</div>
        <div class="flex-row flex-middle">
            <div class="tags ellipsis">
                {tags}
            </div>
            <time class="flex-col time">{date}</time>
        </div>
    </a>
</li>
</template>

<script src="//unpkg.com/hexo-theme-material-indigo@latest/js/search.min.js" async></script>








<script>
(function() {
    var OriginTitile = document.title, titleTime;
    document.addEventListener('visibilitychange', function() {
        if (document.hidden) {
            document.title = '(•‾̑⌣‾̑•)✧˖°回来看我';
            clearTimeout(titleTime);
        } else {
            document.title = '(゜-゜)つロ欢迎回来';
            titleTime = setTimeout(function() {
                document.title = OriginTitile;
            },2000);
        }
    });
})();
</script>



</body>
</html>
